Unified threat management (UTM) solutions specialist Fortinet has announced a critical vulnerability in Microsoft Excel.
The vulnerability discovered by Fortinet’s security research team allows attackers to take over the affected system by using an .xls file sent through e-mail or uploaded to a controlled Web site.
When a user opens the .xls file with Microsoft Internet Explorer, the browser automatically calls Microsoft Excel to open the file. Fortinet said that if the file is specially crafted, this can cause Excel to crash and allow the attacker to execute arbitrary code.
This vulnerability is due to Microsoft Excel’s manipulation of specific opcode and affects users of the following software:
Microsoft Office 2000 Service Pack 3 - Microsoft Excel 2000
Microsoft Office XP Service Pack 3 - Microsoft Excel 2002
Microsoft Office 2003 Service Pack 2 - Microsoft Excel 2003 / Microsoft Office Excel Viewer 2003
Microsoft Works Suites - Microsoft Works Suite 2004 / 2005 (same as the Microsoft Excel 2002 update)
Microsoft Office 2004 for Mac
Microsoft Office v. X for Mac
Non-affected software includes:
2007 Microsoft Office system - Microsoft Office Excel 2007
Microsoft Works Suites - Microsoft Works Suite 2006
Fortinet has advised MS Office users to immediately apply the update provided by Microsoft and not to open Microsoft Office Excel files from non-trusted sources.